XSS vulnerability

[WFRM-ITStaff]

Hello, I bother you again,
for this problem:

#WordPress Progress Bar plugin <= 2.2.0 – Cross Site Scripting (XSS) vulnerability
– Vulnerability type: Cross Site Scripting (XSS)
-No Update Available

We wrote to Defender Pro and this is their response to the false positive:

The report comes from “Known vulnerabilities” scan module of Defender and for this particular scan we are actually using Patchstack vulnerability database and API.
This vulnerability is listed by them:

https://patchstack.com/database/vulnerability/progress-bar/wordpress-progress-bar-plugin-2-1-6-cross-site-scripting-xss-vulnerability

and that's why Defender picks it up.
The good news is that while they mark it as “medium severity”, it's also not reported as exploited so far

We can't change Patchstack database and we can't and shouldn't really add exceptions to scan on our end so in this case if the plugin developer claims it's not a “valid” vulnerability – you can choose to get it ignored by the plugins.

Ultimately though, it should the Progress Bar developer who would either patch the reported issue or – if they are sure it's a false positive – they should get in touch with the original vulnerability reported (as stated on the vulnerability report page linked above) or Patchstack directly to find a way to get the plugin delisted form there.

Kind regards,
Adams

---

I don't know if it can help you. I await updates and thank you very much

[jazzsequence]

Thanks, knowing they use Patchstack is helpful as I have some contacts over there I can ping if I need to. And especially since I applied to their vulnerability disclosure program already. I will keep this issue open to investigate further, but I still suspect it requires WordPress admin, contributor level access to exploit the vulnerability.

[jazzsequence]

Just a quick update confirming my suspicion -- the vulnerability is only exposed after a WordPress login as at least a contributor (see "Required Privilege" in the screenshot below). This is because in order to add the malicious code, you need to have the ability to write posts, so, it's not so much an exposure in itself as much as it is a way to insert bad code in an already-compromised site. And, since I didn't adjust the output of the widgets in the last release, I suspect that that's where the remaining XSS vulnerability is. And if not, I can talk to the folks at Patchstack.

[jazzsequence]

I've added unit tests that check against XSS attacks (see #15). The tests are passing with the output stripped as expected. I've contacted Oliver at Patchstack to get more information about the report.

[jazzsequence]

Addendum: Found the vulnerability by adding more unit tests against XSS edge cases. I am working on it now and should be able to have an update later today.